Source file audit - 2013-11-17

Till Maas opensource at
Sat Nov 23 11:52:09 UTC 2013

On Thu, Nov 21, 2013 at 08:41:21PM +0200, Ville Skyttä wrote:
> On Thu, Nov 21, 2013 at 4:53 PM, Björn Persson
> <bjorn at> wrote:
> > Ville Skyttä wrote:
> >>spectool is not a source verification tool nor a certificate
> >>validation one, and I'm not going to help people get the misconception
> >>that it might be something like that.
> >
> > So how do you think the verification should be done?
> Um, source verification needs to be done... by verifying the sources?
> Diligence how deep maintainers want to go and their competence levels
> vary, but there's really no way around it. Standard procedures for
> checking the authenticity of sources should include GPG/signature
> checking (if available), checksum checking (if available, hopefully
> signed), and cross checking with other consumers (e.g. other distros,
> if available). And authenticity checking is not verifying the sources
> nor enough -- upstreams make mistakes too, and packagers should really
> know what they're shipping, read and understand diffs between releases
> etc etc.

How many packagers do this?

> > If an upstream project doesn't PGP-sign the tarballs but does make them
> > available over HTTPS, then the TLS connection is the only thing that
> > ensures that the tarball you receive is the one that the developers
> > published.
> No, it doesn't, at all. For example the server may have had all its
> content compromised and serve all that over an HTTPS connection that
> passes whatever validity and authenticity checks one might want to
> throw at it.

Even if you read the diff, it might not help, because an important fix
for a vulnerability might be missing. So there is no 100% security.
However using HTTPS URLs with sane software should allow to trust that
the TLS connection was properly verified. With the change you risk also
persons who are e.g. upstream and Fedora maintainers using HTTPS URLs to
fetch their published tarball. There is no need for them to use other
out-of-band validation techniques to verify that the tarball they
downloaded is the same they uploaded unless they have reasonable doubt
about their system.

However, if you do not want to use HTTPS to verify the transfered
contents then just use plain HTTP. Using HTTPS but not verifying the
server's certificate makes things only worse as long as no secret
contents are transmitted.


More information about the devel mailing list